DCP Packaging and KDM Encryption

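Preparation

Install XMLSpy to make it easier to inspect XML files.

Install DCP-o-matic, a currently popular tool for DCP packaging and KDM encryption. Its website describes it as "Free, open-source DCP creation from almost anything."

Introduction

DCP: Digital Cinema Package

KDM: Key Delivery Message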

A Digital Cinema Package (DCP) contains high quality audio-visual files in the Material Exchange Format (MXF). The preferred format for picture is SMPTE (JPEG 2000). Audio is usually supplied as a 24-bit linear PCM multichannel WAV file. Encryption with 128-bit AES-CBC is optional.

When the Digital Cinema Package is encrypted the ability to playback files is controlled by a separate Key Delivery Message (KDM). The KDM is in XML format and contains the decryption keys for a specific projector or device including the period of validity. This ensures that the media cannot be used at another location or outside the agreed performance dates.

Software used for DCP and KDM creation includes: AutoDCP, CineAsset, Cinemaslides, CuteDCP, DCP-o-matic, Dolby SCC2000, DVS Clipster, easyDCP Creator, OpenDCP, and QubeMaster.

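These are the film industry's standards for audio-visual files.

The Digital Cinema Package (DCP) and the Key Delivery Message (KDM) are used for the image/audio/subtitle files and for encryption key distribution, respectively.

The KDM is also defined as follows: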

DRM for Cinema, Key generated between a DCP and a MB (Media Block = projection system), Contains business information, like time window for showing the content.

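MXF files store the converted, standardized video and audio files.

AES encryption is applied to all MXF files. The keys are generated and delivered to the projector through the KDM. A KDM is an XML file that can only be opened by the end device. The KDM is associated with each playlist and specifies the correct projection start and end times.

Architecture

DCP playback process

File naming

DCP packaging

KDM encryption

The KDM is based on the D-Cinema generic Extra-Theater Message (ETM) format. Using the standardized XML encryption and signature parts, it represents the content key and TDL information in XML. KDM messages use X.509 digital certificates to provide authentication and trust.

A KDM carries three basic types of information: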

Content keys for a specified Composition Play List (CPL).

Content key parameters - primarily the permitted key usage date/time window.

The Trusted Device List (TDL) which identifies equipment permitted to use the content keys.

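That is:

The content keys for the CPL.

The parameters of the content keys, mainly the time window in which the keys may be used.

The list of authenticated, trusted devices that may use the content keys.

The basic KDM information flow is shown in the figure below:

The relationship between the CPL and KDM structures is shown in the figure below:

See SMPTE 430-1 and SMPTE 430-3.

Authenticated and Private (Encrypted) Information

Notes on the authenticated and encrypted information in a KDM file: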

This segment of the ETM shall be digitally signed, and trust in the signature can be verified using the certificate chain in the Signature portion. This portion is encrypted before being transmitted. The word “private” that appears in the XML label for this segment means that only a specified set of recipients is able to decrypt and view this information.

The formal XML definition is given in Annex C. Figure 3 is an informative illustration of the appropriate code section from that annex.

Anyone can verify the signature on the ETM and validate the certificate chain to decide whether the message has been modified and whether it was created by a trusted entity. However, only an entity that knows the private key of one of the recipients can decrypt this portion of the message.

This segment contains zero or more EncryptedKey fields and at most one EncryptedData field. The EncryptedKey field defines data (that includes an AES key) that is encrypted by the RSA algorithm and the Encrypted Data field defines data (if any) encrypted by the AES algorithm. It is a standard cryptographic security practice to use two encryption algorithms (RSA and AES) to get the key management benefit of using RSA and the performance benefits of using AES.

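Anyone can verify the KDM's certificate chain to confirm whether the message has been modified and whether it was created by a trusted entity. However, only a recipient who holds the private key can decrypt the message.

For a KDM, the EncryptedData part of the XML can be ignored. Each EncryptedKey element carries one content key and its associated information. A KDM file has exactly one recipient.

The EncryptedKey element in a KDM is described as follows:

It contains the KeyInfo, CipherData, and EncryptedData fields.

See section 6.1, EncryptedKey, of the SMPTE 430-1 standard.

The CipherData field is built from fixed-length plaintext fields in the following format, concatenated one after another (see the table below):

The first field is the Structure ID, 16 bytes long, a fixed 128-bit identifier. The second field is the binary representation of the hash of the certificate and public key. The third field is the binary representation of the CPL's UUID. The fourth field is the KeyType, a 4-byte string. The fifth field is the KeyID, a UUID in binary form. The sixth field is the start time, the seventh field is the end time, and the eighth field is the content key.

The lengths of the 8 fields add up to 138 bytes.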
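The 138-byte layout described above, parsed in Python (3.7+) as an added example; it is not code from the original post or from mkkdm.py. The per-field lengths and the reading of the second field as the KDM signer's certificate thumbprint come from SMPTE ST 430-1 rather than from this page, and the function names and all sample values are made up for illustration.

```python
import struct
import uuid
from datetime import datetime, timezone

# Field lengths of the RSA-decrypted EncryptedKey plaintext (SMPTE ST 430-1):
# 16 + 20 + 16 + 4 + 16 + 25 + 25 + 16 = 138 bytes, no padding between fields.
KEY_BLOCK = struct.Struct(">16s20s16s4s16s25s25s16s")


def parse_key_block(plain: bytes) -> dict:
    """Split the 138-byte plaintext into its eight fields."""
    if len(plain) != KEY_BLOCK.size:
        raise ValueError(f"expected {KEY_BLOCK.size} bytes, got {len(plain)}")
    sid, thumb, cpl, ktype, kid, nvb, nva, key = KEY_BLOCK.unpack(plain)
    return {
        "structure_id": sid.hex(),
        "cert_thumbprint": thumb,            # SHA-1 digest, 20 bytes
        "cpl_id": uuid.UUID(bytes=cpl),
        "key_type": ktype.decode("ascii"),   # e.g. MDIK (picture), MDAK (audio)
        "key_id": uuid.UUID(bytes=kid),
        "not_valid_before": datetime.fromisoformat(nvb.decode("ascii")),
        "not_valid_after": datetime.fromisoformat(nva.decode("ascii")),
        "content_key": key,                  # 128-bit AES key
    }


def key_usable(block: dict, signer_thumbprint: bytes, now: datetime) -> bool:
    """True if the block names the KDM signer's certificate and `now` is in the window."""
    return (block["cert_thumbprint"] == signer_thumbprint
            and block["not_valid_before"] <= now <= block["not_valid_after"])


def build_sample(thumbprint: bytes) -> bytes:
    """Constructed sample plaintext; every value is made up (zeroed Structure ID)."""
    return KEY_BLOCK.pack(
        bytes(16), thumbprint, uuid.UUID(int=1).bytes, b"MDIK",
        uuid.UUID(int=2).bytes, b"2021-06-08T00:00:00+00:00",
        b"2021-06-23T00:00:00+00:00", bytes(range(16)))


if __name__ == "__main__":
    tp = bytes(range(20))  # constructed thumbprint, not a real certificate
    blk = parse_key_block(build_sample(tp))
    print(blk["key_type"], blk["cpl_id"], blk["not_valid_after"])
    print(key_usable(blk, tp, datetime(2021, 6, 10, tzinfo=timezone.utc)))
```

Pass a timezone-aware `now`; comparing a naive datetime against the parsed timestamps raises `TypeError`.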

Encrypted content

Procedure

GUI

CMD

Related notes

The hash value is the Base64 encoding of the SHA-1 digest. It can be computed with the following command:

openssl sha1 -binary "FILE_NAME" | openssl base64

Installation notes

curl https://bootstrap.pypa.io/pip/3.5/get-pip.py -o get-pip.py
python3.5 get-pip.py --force-reinstall
apt-get install build-essential libssl-dev libffi-dev python-dev

Running mkkdm.py

apt-get install python3
update-alternatives --config python
sudo pip uninstall crypto
sudo pip uninstall pycrypto
apt-get install build-essential libssl-dev libffi-dev python-dev
apt-get install libpcap-dev libpq-dev
apt install python3-dev
apt install python-dev
curl https://bootstrap.pypa.io/pip/3.5/get-pip.py -o get-pip.py
python3.5 get-pip.py --force-reinstall
# then install:
pip3 install lxml
pip3 install Crypto
pip3 install rsa
pip3 install pycrypto
pip3 install signxml

Message shown:

c/_cffi_backend.c:2:20: fatal error: Python.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
ERROR: Failed building wheel for cffi
Running setup.py clean for cffi
Failed to build cffi

pip3 install pyinstaller
pip3 freeze |grep cry -i

Build the executable:

pyinstaller -F mkkdm.py

Find where a variable appears in the code:

grep servicePriv ./ -rwn

View the DKDM:

vim DKDM/DKDM_aaa_FTR_Enc_2M_20210608_SMPTE_OV_20210608T000000_20210623T000000_20210608151215.678.xml

Reference links

Inter-Society Digital Cinema Forum (ISDCF)

http://isdcf.com/ISDCF/index.html

SMPTE Documents needed for SMPTE-DCP packages:

https://cinepedia.com/references/

DRAFT ISDCF Doc5 - Guideline for SMPTE KDMs and Certificates Behaviors

http://isdcf.com/papers/ISDCF-Doc5-kdm-certs.pdf

DCP-o-matic

http://dcpomatic.com/

How do you package a DCP?

https://www.zhihu.com/question/43605387?sort=created

Digital Cinema Mastering 101

https://www.slideshare.net/sundanceinstitute/graef-allen-dolby-dcp-presentation-deck-20130423

Digital cinema

https://www.slideshare.net/AnoopKAnand/digital-cinema-43413954

Development of Digital Cinema Delivery System on the NGN

https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201005le1.html

Trusted Device List & Workflow

https://cinepedia.com/security/trusted-device-list/

Technology FAQs

https://cinepedia.com/faqs/technology-faqs/

D-cinema Digital Cinema System : Presentation, analysis, and open source perspectives RMLL 2010

http://slideplayer.com/slide/11347368/

In SSL, what are the file extensions for public keys, private keys, and certificates?

https://www.zhihu.com/question/29620953
